Intel Faces Legal Action Over Alleged Concealment of Downfall CPU Vulnerability for Years


After the CPU manufacturer Intel was confronted this summer with a vulnerability in its processors called Downfall, legal disputes are now arising in the United States. According to The Register, some customers accuse the company of having been aware of the flawed instructions underlying Downfall five years ago.

Despite this knowledge, the manufacturer allegedly took no action and continued to sell billions of insecure CPUs, as stated in the lawsuit filed in a court in the U.S. state of California (PDF). In 2018, Intel reportedly received two separate vulnerability reports from third-party researchers related to investigations into Spectre and Meltdown, which indicated potential side-channel attacks through the AVX instruction set. Downfall emerged from these reports this year.

Since the company did not take any measures over the years, buyers of affected Intel CPUs now have no choice but to apply a patch that reportedly reduces performance by up to 50 percent.

Downfall Allows Data Theft

Discovered by a Google security researcher in August of this year, Downfall is registered as CVE-2022-40982. The vulnerability allows an attacker to extract sensitive data from other users of a vulnerable system, including passwords, bank details, encryption keys, and other valuable information. Remote exploitation is also possible through the use of malware.

The researcher who discovered the flaw warned that cloud environments are particularly at risk, since an attacker there could exploit Downfall to harvest the credentials of other users. CPUs from the 6th to the 11th Intel Core generations, covering all microarchitectures from Skylake to Rocket Lake, are affected. Xeon Scalable processors based on Skylake-SP, Cascade Lake-SP, and Ice Lake-SP are also vulnerable to Downfall.

While Intel has released new microcode to address the security flaw, it comes with performance losses. The manufacturer itself claims that performance could decrease by up to 50 percent. However, benchmarks conducted by Phoronix suggest that the losses are significantly lower in many cases, depending on the application scenario.

William Wylie